Description

FasterXML jackson-databind before 2.7.9.3, 2.8.x before 2.8.11.1 and 2.9.x before 2.9.5 allows unauthenticated remote code execution because of an incomplete fix for the CVE-2017-7525 deserialization flaw. This is exploitable by sending maliciously crafted JSON input to the readValue method of the ObjectMapper, bypassing a blacklist that is ineffective if the c3p0 libraries are available in the classpath.

Remediation

References

CVE-2018-7489

Related Vulnerabilities

WordPress Plugin Roomcloud Multiple Cross-Site Scripting Vulnerabilities (1.1)

Squid Improper Input Validation Vulnerability (CVE-2021-31808)

GibbonEdu Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') Vulnerability (CVE-2021-40492)

WordPress Plugin Kindeditor For WordPress Cross-Site Scripting (1.3.3)

WordPress Plugin Vospari Forms Cross-Site Scripting (1.3)

Severity

Critical

Classification

CVE-2018-7489 CWE-184 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Tags

Missing Update Known Vulnerabilities